Re: Re: [Zope-dev] Request typing (to get the xmlrpc layer discussion finished)

2007-12-18 Thread Stephan Richter
On Monday 17 December 2007, Roger Ineichen wrote:
> Layers and skins are a security concept. And a very good one.

Let me briefly explain what Roger refers to by the word security here. We 
consider, as I mentioned in my previous mail, the availability of views 
outside of our control a security risk, because someone could have done a 
mistake or maliciously created a security hole in a view. By controlling the 
contents of the layers more explicitly, we have a better idea of the views 
that are available.

Furthermore, skins allow us to control the permission settings of our views; 
overrides allow this as well, of course.

Of course, this in itself is not enough to ensure security, but I hope that 
tools like the one started in z3c.securitytool will eventually help us with 
analyzing our public views.

Regards,
Stephan
-- 
Stephan Richter
CBU Physics & Chemistry (B.S.) / Tufts Physics (Ph.D. student)
Web2k - Web Software Design, Development and Training
___
Zope-Dev maillist  -  Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope )


Re: [Zope-dev] Request typing (to get the xmlrpc layer discussion finished)

2007-12-17 Thread Roger Ineichen
Hi Christian

> Subject: [Zope-dev] Request typing (to get the xmlrpc layer
> discussion finished)
>
> Hi,
>
> a couple of weeks ago there was some discussion about the
> skin/layer support for XML-RPC which I implemented without
> asking (shame on me).
> As some time has passed now everybody could have some fresh
> thoughts about it.
>
>
> Let me first summarise:
>
> * Skin and layers should be seen as typing the request.
>
> * There are no general objections against having layers for XML-RPC.
>
> * There are objections against using ++skin++ for XML-RPC,
> ++api++ would be fine.

[...]

I would be very happy if we could implement the XML-RPC
package as an independent server add-on. I think not everyone uses
XML-RPC and likes to have such a server option built in.

What do you think, can you move it to a top-level package
if you refactor this part?

btw,
I implemented z3c.json and z3c.jsonrpc. This package
uses its own JSON-RPC skin type. I chose this additional
layer implementation because I like to separate the registered
methods for such requests. And we do not have the BrowserRequest
on these servers at all.

We also started to implement some core server applications 
with only JSON-RPC APIs.  There is no browser/page based UI
at all installed. All is managed by JSON from another Zope
server via remote (JSON-RPC) access. 

If anybody likes to implement an XML-RPC API without any
browser view for a server, I think it should be possible too.

Would be great if you could take a look at z3c.jsonrpc
and tell me if there is something to improve.

Regards
Roger Ineichen



Re: [Zope-dev] Request typing (to get the xmlrpc layer discussion finished)

2007-12-17 Thread Roger Ineichen
Hi all

> Subject: Re: [Zope-dev] Request typing (to get the xmlrpc
> layer discussion finished)
>
> On Dec 17, 2007 10:32 AM, Janko Hauser [EMAIL PROTECTED] wrote:
>> Oh that would be new information for me, so I would be very
>> interested, where this is implemented.
>
> z3c.baseregistry

Yes, that's another component which helps you protect 
your application from built-in backdoors.

In general I can say:

- baseregistry allows you to configure different ISite components
  at a global ZCML level. Sites can reuse such sets of global
  registrations in the local instance. And this registration set
  is not populated globally at the site root.

- layers allow you to offer predefined sets of configuration
  ready to reuse. Without them you can only offer global
  configuration sets, which can open backdoors.

- skins map a set of layers to the public and make them
  traversable.

I always explain it like this:

Skins and layers are not needed until it comes to security. And
I always say skin and layer is the concept which allows us to
separate the model and view and make the view part replaceable.
If you use the baseregistry it works at the local site level.

Of course you don't need layers and skins if you develop one
application and install it on one server. But if it comes
to multiple skins, and even worse different applications on one
server, we need layers and skins for security reasons.

And if you don't use layers and skins, you probably can't
install packages which register views on the default skin
which your server is using without opening backdoors.

Layers and skins are a security concept. And a very good one.

Note, the only secure way to set up a multi-application, multi-site
Zope server is to use layers, sites and the baseregistry.

Everything else will make views on different apps available.
And this could be a very big security problem. 

Regards
Roger Ineichen

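The point both Roger and Stephan make, that a request typed with a skin can only reach views registered on that skin's layers, so a view some other package registers on the default layer is simply not traversable through an ++api++-style skin, is shown below with a small constructed model of request typing. This is an added example, not code from the posters, from zope.publisher or from zope.component; the `ViewRegistry`, `Skin` and `Request` classes, the layer and skin names, the `Document` content type and the view names are all assumptions made for illustration. The `exposed_views` audit helper plays the role Stephan hopes z3c.securitytool will play: listing, per skin, which views are publicly reachable.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed model of Zope 3 request typing (not the real zope.component
# registry): a view is registered for (context type, layer, name); a skin
# is an ordered tuple of layers; a request is "typed" by its skin and can
# only resolve views whose layer belongs to that skin.


@dataclass(frozen=True)
class Skin:
    name: str
    layers: Tuple[str, ...]  # most specific layer first, e.g. ("custom", "default")


@dataclass
class Request:
    skin: Skin  # the skin the request was traversed with (++skin++ / ++api++)
    path: str


class Content:  # assumed content base type
    pass


class Document(Content):  # assumed content subtype
    pass


ViewFactory = Callable[[Content, Request], str]


class ViewRegistry:
    """Views keyed by (context type, layer, name); lookup is gated by the skin."""

    def __init__(self) -> None:
        self._views: Dict[Tuple[type, str, str], ViewFactory] = {}

    def register(self, context_type: type, layer: str, name: str,
                 factory: ViewFactory) -> None:
        self._views[(context_type, layer, name)] = factory

    def lookup(self, context: Content, request: Request, name: str) -> ViewFactory:
        # Only the layers of the request's skin are searched, in order, so a
        # view registered on a layer outside the skin is unreachable here.
        for layer in request.skin.layers:
            for ctype in type(context).__mro__:
                factory = self._views.get((ctype, layer, name))
                if factory is not None:
                    return factory
        raise LookupError(f"no view {name!r} for {type(context).__name__} "
                          f"in skin {request.skin.name!r}")

    def publish(self, context: Content, request: Request, name: str) -> str:
        return self.lookup(context, request, name)(context, request)

    def exposed_views(self, skin: Skin, context_type: type) -> List[str]:
        """Audit helper: every view a skin makes reachable for a content type,
        as 'layer:name', respecting the same precedence as lookup()."""
        winner: Dict[str, str] = {}
        for layer in skin.layers:
            for ctype in context_type.__mro__:
                for (t, l, n) in self._views:
                    if t is ctype and l == layer and n not in winner:
                        winner[n] = layer
        return sorted(f"{l}:{n}" for n, l in winner.items())


registry = ViewRegistry()
DEFAULT = Skin("default", ("default",))
API = Skin("api", ("api",))                      # RPC-only skin, no browser layer
CUSTOM = Skin("custom", ("custom", "default"))   # site skin overriding default views

# Assumed registrations: a third-party package adds "manage" on the default
# layer; the RPC API only exposes "getData" on its own layer.
registry.register(Content, "default", "index", lambda c, r: f"index of {type(c).__name__}")
registry.register(Content, "default", "manage", lambda c, r: "management UI")
registry.register(Document, "custom", "index", lambda c, r: "custom document page")
registry.register(Content, "api", "getData", lambda c, r: "{}")


def demo() -> Dict[str, object]:
    doc = Document()
    results: Dict[str, object] = {}
    results["custom_index"] = registry.publish(doc, Request(CUSTOM, "/doc"), "index")
    results["default_index"] = registry.publish(doc, Request(DEFAULT, "/doc"), "index")
    results["api_getData"] = registry.publish(doc, Request(API, "/doc"), "getData")
    try:  # the default-layer management view is not traversable via the API skin
        registry.publish(doc, Request(API, "/doc"), "manage")
        results["api_manage"] = "reachable"
    except LookupError:
        results["api_manage"] = "not reachable"
    results["api_exposed"] = registry.exposed_views(API, Document)
    results["custom_exposed"] = registry.exposed_views(CUSTOM, Document)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows the two properties the thread argues for: the `custom` skin overrides the default `index` while still inheriting `manage`, and the `api` skin exposes exactly one view, so the audit for it returns `['api:getData']` and `manage` is not reachable through it at all.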